Fed Chairman Ben Bernanke went on the offensive yesterday at the annual meeting of the American Economic Association, arguing that lax regulatory oversight, not loose monetary policy, led to the housing bubble and subsequent financial crisis. You can read his remarks here.

After working behind the scenes for most of the fall, lobbying legislators one-on-one, Bernanke took a very public position yesterday, blaming the rise in housing prices on alternative types of variable-rate mortgages, which generated more demand than prevailing interest rates alone would explain.

Bernanke argued that “stronger regulation and supervision aimed at problems with underwriting practices and lenders’ risk management would have been a more effective and surgical approach to constraining the housing bubble than a general increase in interest rates.”

Further, he said that “the lesson I take from this experience is not that financial regulation and supervision are ineffective for controlling emerging risks, but that their execution must be better and smarter.”

To some extent he’s trying to deflect the spotlight onto the other regulatory agencies chartered with overseeing the origination of different kinds of mortgages. But Bernanke can’t have it both ways. He’s argued in the past that the Fed has a role in consumer financial protection and has lobbied against the CFPA; so, if the Fed’s mandate does extend to the financial consumer, why did he let these low-monthly-payment mortgages proliferate? While he was convincing that factors beyond monetary policy led to the housing bubble, he was less clear on what kind of regulatory structure would have prevented it and on how we should move forward on consumer financial protection. At this point, my bet is that the CFPA has enough momentum to pass with financial reg reform.

Information infrastructure provider EMC yesterday announced that it will buy IT GRC vendor Archer. According to the press release, EMC bought Archer for its “technologies for information risk management and information security”; Archer will operate as part of the company’s RSA security division. Archer will become part of the EMC information management stack, integrated tightly with EMC products such as its widely renowned storage solutions.

Archer’s solutions address the challenges faced by IT managers in the areas of IT compliance and policy management. Some of our customers are using Archer on a departmental basis within IT to manage things like vulnerability assessment reporting, configuration management and PCI compliance. Archer, for instance, helps companies prepare for IT audits and compliance reporting.

These same customers see OpenPages as a way to understand and manage their risk exposure across the enterprise through enterprise risk assessments and integrated reporting, whether by process, program or function. In this way, OpenPages helps ensure that companies can achieve their business-level objectives, managed by the Chief Risk Officer and Business Unit heads. They use our ITG solution to integrate IT risk with their overall enterprise risk posture. So, for instance, OpenPages helps companies address the IT, compliance and operational risk issues like the ones faced by MF Global (not an OpenPages customer), which a couple of weeks ago was fined $10 million in connection with a rogue trading loss of $141 million.

Both IT GRC and Enterprise GRC solutions are critical components of an effective Enterprise Risk Management program; where you start will depend upon your company’s priorities.

For those of you on boards of directors or supporting them, you’ll want to focus on new governance-related regulations recently issued by the SEC. Originally proposed for comment last summer, these rules take effect February 28, 2010, in time for many companies’ upcoming 10-K and proxy season.

Risk. A particular focus of the new requirements is the board’s role in overseeing risk, including how the board administers its oversight function – for instance, through the entire board, a separate risk committee, or the audit committee. The rules also call for discussion of the company’s compensation policies or practices as they relate to risk management and to risk-taking incentives that can affect the company’s risk and risk management. The release also suggests that companies may want to disclose how the board receives information from individuals with day-to-day management responsibilities.

Director Qualifications and Experience. Existing disclosure requirements are expanded to include, for each director and nominee, information leading to the board’s conclusion that the person should serve as a director of the company, focusing on such matters as the individual’s experience, qualifications, attributes, and skills.

Compensation. The rules call for revised reporting of stock and option awards in the summary compensation table and director compensation table, and disclosure of certain potential conflicts of interest of compensation consultants. Rather than reporting the dollar amount recognized for financial statement purposes for the fiscal year, the rules require reporting the aggregate grant date fair value of stock and option awards granted in the fiscal year, with special instructions for awards subject to performance conditions.

Board Leadership Structure. Disclosure is required about the board’s leadership structure, including why it is deemed best for the company and why it was decided to combine or separate the CEO and board chair positions. Where the positions are combined, disclosure is also required about whether a lead independent director is in place and what that director’s leadership role is.

Other required disclosures relate to such matters as: Other board seats held by directors and nominees; how diversity is considered in identifying director candidates; and legal actions involving a company’s executive officers, directors, and director nominees.

There’s a lot here, and boards, corporate secretaries, governance officers and others who support the board’s activities will need to understand the new rules and effect compliance. For certain matters, such as requirements regarding risk, we can expect some companies to reconsider their risk management activities to ensure their substance is in line with desired disclosures.

We recently had an interesting discussion on what GRC professionals are hoping to achieve in 2010. We had so much fun we decided to publish a 2010 wish list for risk and compliance managers. The list is based on conversations we had with our customers, prospects and industry experts over the past several months.

Why are there 10? Well, as George Carlin mused in his skit about Moses and The Ten Commandments, “because 10 sounds official. Ten sounds important! Ten is the basis for the decimal system, it’s a decade, it’s a psychologically satisfying number (the top ten, the ten most wanted, the ten best dressed). So having ten commandments was really a marketing decision!”

All kidding aside, we’d love to get your reaction to our list and see if we left anything out. We’ll drill down into more detail for each one over the next ten days! Here’s the list:

If you’re in the financial services sector, any GRC manager’s wish list includes regulatory clarity for 2010. In the depths of the financial crisis, the Obama administration promised financial services regulatory reform. President Obama himself remarked during his inaugural address: “But this crisis has reminded us that without a watchful eye, the market can spin out of control.” But what has happened since then?

A credit card bill was passed, but meaningful overhaul is still buried in the legislative process, and there are still major differences between the House and Senate versions of the critical elements of reg reform, including the systemic risk regulator, consumer protection and mortgage reform. Last week, Senator Dodd, who chairs the powerful Senate Committee on Banking, Housing and Urban Affairs, announced that he wouldn’t be seeking reelection. Given the narrow margin in the Senate and his likely desire to get something done before he retires, we’re likely to see more compromise before anything gets passed.

Further, the political climate in Washington has shifted over the last year, and financial services reg reform is not the top priority for the administration–health care is (and now terrorism). In the end, as the political momentum behind reg reform fragments into competing alternatives, GRC managers are going to have to accept this uncertainty and the current regulatory structure, which may endure longer than expected. Of course, this in and of itself offers some clarity, which explains why we’re continuing to see strong growth in the GRC platform market, as companies move forward with their plans for integrated risk management, despite the uncertainty.

Risk management should be viewed as a competency that is embedded in the organization. Coming in at #2 in the 2010 GRC Wish List, however, “Better Collaboration with the Business” reflects the lack of understanding and poor communication that exists today between the risk function and business managers.

Surveys have shown that only 40 percent of respondents find the importance of risk management to be widely understood throughout the company, suggesting that more needs to be done to embed risk culture and risk thinking more deeply in the institution.

Incorporating risk management into everyday business processes will enable executives to focus on those elements of their risk activity that have the greatest positive impact on the organization.

Business managers can spend less time on assessments and more time on proactively managing risk and processes to meet company objectives.

Providing enhanced visibility into the risk landscape, integrated risk management empowers business managers to make smarter decisions that maximize value, reduce costs and balance risk with returns. When embedded into everyday processes at all levels of the organization, risk management will drive business performance.

It’s become clear that a risk-aware corporate culture is of critical importance to an organization. In the past year alone, we’ve seen plenty of examples in the news where a lack of risk-aware corporate culture has hurt companies, some beyond repair. Coming in at #3 on the 2010 GRC Wish List is a “Robust Organizational Risk Culture”.

While it is critical to be thoughtful, disciplined, and strategic in your approach, it’s also important to understand how technology can promote a risk-aware culture and become a tool to embed effective integrated compliance and risk management practices within an organization. It can act as a training and awareness tool, a marketing tool, and can help build accountability and push policies and processes into daily activities.

Does your organizational culture reinforce your strategy and risk appetite or undermine it? PricewaterhouseCoopers has developed a “Risk Culture Self Assessment” that will help you understand where your organization stands in terms of how it manages risk. They also published a five-step guide titled “Building a risk-aware culture for success.”

Several months ago I had the pleasure of presenting with Richard Brilliant, Carnival’s vice president and chief audit executive of Audit Services in a Compliance Week webinar titled: “Leveraging the Power of Integrated Risk Management”. Richard began his presentation by asking a very telling question: “Who specifically is best suited to manage risk in your organization?” The answer of course was “Everyone”. After all, enterprise risk management is about managing risks across multiple risk and compliance disciplines as well as across multiple business units. In other words, ERM requires everyone’s participation to be truly effective and risk awareness and expertise must be instilled at all levels of the organization.

Coming in at #4 on the 2010 GRC Wish List, Risk Expertise is something that needs to start at the top. Risk expertise is a skill set that boards are looking for in their executive teams and is something that could potentially find its way into regulatory reform this year.

Sponsored by the UK government and published this past fall, the Walker Review recommends overhauling the boards of banks and other big financial institutions by requiring the Chief Risk Officer to have a reporting line to the risk committee, in addition to strengthening the role of non-executives and giving them new responsibilities to monitor risk and remuneration.

Some of the specific recommendations in the Walker Review include:

Banks should have board-level risk committees chaired by a non-executive director

Risk committees to scrutinise and, if necessary, block big transactions

Chief Risk Officer to have a reporting line to the risk committee

Chief Risk Officer can only be sacked with the agreement of the board

It is clear that risk management will be under increasing scrutiny in the UK (and across the globe), and that risk expertise will be increasingly important in 2010.

“Better Collaboration with the Business” was in the #2 spot on our 2010 GRC Wish List and it talked about the need to embed risk management within the business by incorporating risk management practices into everyday business processes. Business line managers should be making risk-based decisions. But this requires them to be able to use internal sources of risk data from across the enterprise and, when available, external risk data.

Another major area of concern is how the constantly increasing and changing array of rules, regulations and industry standards is affecting existing processes and systems. In many cases, the technology solutions that support these processes are under extreme pressure and cannot adapt to satisfy the business needs. Meeting these regulations and standards requires gathering and storing risk data over a significant time frame. It also requires integrated risk reporting of the data for easy consumption by internal and external constituencies such as senior management and regulators.

Our #3 item, “Robust Organizational Risk Culture,” talked about how technology can play a role in helping to create a robust risk culture. But it is clear that technology is an enabler and not a complete solution. Businesses must evolve their risk management methodologies to meet these changing requirements. The goal is to establish an effective enterprise-wide risk management program that is flexible enough to respond to change and is tailored to an organization’s corporate strategies, business activities and external environment.

Many organizations that I work with are examining their risk management practices and are expecting to make significant changes in 2010. Investment in risk management systems, processes and technologies will be an essential step for many organizations. What is your organization doing to improve the effectiveness of its risk management processes and systems this coming year?

It seems we can’t pick up a newspaper today without seeing another story on top management compensation, and its role in the near financial system meltdown. As Congress and the Administration wrestle with regulatory reform, fingers continue to point at CEOs and other senior executives who reaped huge rewards for taking what are deemed to be outsized risks – risks that brought some of their companies, and indeed the financial system, to the brink of disaster. The SEC’s new disclosure rules will shed more of a spotlight on executive pay and how companies and boards deal with corporate risk, and anger over “outsized” pay is boiling over in the form of regulatory reform and additional proposed taxes on financial services industry participants.

Certainly executive compensation should recognize the degree of risk inherent in performance. No one wants to see a CEO “bet the ranch” in a “heads the CEO wins, and tails shareholders and the taxpayers lose” scenario. So, yes, getting risk-reward back in balance at the top management level makes eminent sense, and already is under way.

With that said, however, we shouldn’t fall into the trap of thinking that dealing with the compensation issues can by itself address corporate risk. Those of you with leadership roles in risk management, compliance, auditing, and related areas in your organizations know full well that dealing with risk at the CEO level will not by itself transform how risk is managed throughout the organization. One can argue that CEO compensation has played only a limited role in causing financial institutions to take on such massive risks in the first place. Chief executives already have solid motivation to ensure the companies they lead achieve long-term success, and simply keeping their prestigious and lucrative jobs and their reputations intact are certainly strong motivators. CEOs I’ve dealt with put the success of the company at the same if not a higher level than acquiring more personal riches. Make no mistake, many do want to enhance their wealth, and some continue to keep score with peers, but putting their own personal objectives ahead of the company’s and its shareholders’ is not typical.

So, I hope and trust that neither the powers inside the Beltway nor corporate leaders and boards will think risk management is primarily about managing CEOs’ motivations. The focus needs to be on risk management processes throughout the organization, linking risks with corporate objectives and initiatives, and managing risk to best achieve corporate goals.

If nothing else, the financial crisis of 2008 has driven home the need to improve reporting to the organization regarding risk posture and exposure. As we look to 2010 and beyond, risk and compliance processes will no doubt evolve to meet changing business and regulatory requirements. Coming in at #8 on the 2010 GRC Wish List is “Strong Reporting with Easy-to-Use Formatting.” While the value of strong reporting is clear, a few challenges remain:

Cross-domain Reporting – With the large number of risk and compliance initiatives underway at organizations today, users are struggling to deliver comprehensive enterprise risk management. Users need a way to understand and manage their risk exposure across the numerous risk and compliance domains through enterprise risk assessments and integrated reporting. GRC solutions that are developed independently in silos produce application-specific reports that only reference data local to that application and so provide an incomplete picture of enterprise risk exposure.

Multiple Reporting Regimes – Companies are struggling to meet the needs of an increasing number of reporting regimes. For instance, a financial services company may have adopted the COBIT framework for IT management, adhere to FFIEC best-practice guidelines, and may be looking to establish an Anti-Money Laundering (AML) program. The key challenge facing these organizations is in establishing a risk framework that integrates multiple reporting regimes and provides visibility into the state of key risks across the enterprise.

Linking Oversight with Operating Environment – Effective “governance” implies effective oversight and reporting. To deliver effective oversight, GRC professionals need to be able to link their oversight and reporting to their operating environment by drilling-down to view control status at the asset level.

Profile-based Reporting – Risk management professionals, compliance professionals and auditors frequently have access to highly confidential and sensitive information. Oftentimes, that information needs to be segmented from other stakeholders in different roles, entities, geographies or functional risk areas. GRC solutions need to provide a highly configurable, flexible and secure access control model that denies by default, so that risk data is seen only by the right people, in the right context, at the right time.
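The two requirements above, cross-domain roll-ups and profile-based segmentation, come down to a single access decision that every report must pass through before any aggregation happens. The following added example (written for this page; it is not OpenPages or Archer product code) sketches that decision as a deny-by-default filter over role, entity, geography and domain, and then builds a per-domain exposure count from only the records a given profile may see. The record and profile fields, the role clearance table and the sample records are all constructed assumptions for illustration.

```python
"""Profile-based filtering of GRC risk records (illustration only, not
OpenPages product code). All field names, roles and sample records below are
assumptions constructed for this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

ANY = "*"  # wildcard scope: the profile may see every value of that dimension


@dataclass(frozen=True)
class RiskRecord:
    record_id: str
    domain: str          # risk/compliance domain, e.g. "it", "aml", "operational"
    entity: str          # business unit that owns the record
    geography: str       # region the record belongs to
    classification: str  # "internal" or "confidential"
    title: str


@dataclass(frozen=True)
class Profile:
    user: str
    role: str
    entities: FrozenSet[str]
    geographies: FrozenSet[str]
    domains: FrozenSet[str]


# Which classifications each role is cleared to read. A role that is absent
# from this table is cleared for nothing, so unknown roles see no records.
ROLE_CLEARANCE: Dict[str, FrozenSet[str]] = {
    "auditor": frozenset({"internal", "confidential"}),
    "risk_manager": frozenset({"internal", "confidential"}),
    "business_user": frozenset({"internal"}),
}


def _in_scope(scope: FrozenSet[str], value: str) -> bool:
    return ANY in scope or value in scope


def can_view(profile: Profile, record: RiskRecord) -> bool:
    """Deny by default: the role must be cleared for the record's
    classification AND the record must fall inside every scope dimension."""
    cleared = ROLE_CLEARANCE.get(profile.role, frozenset())
    if record.classification not in cleared:
        return False
    return (_in_scope(profile.entities, record.entity)
            and _in_scope(profile.geographies, record.geography)
            and _in_scope(profile.domains, record.domain))


def visible_ids(profile: Profile, records: Iterable[RiskRecord]) -> List[str]:
    """Record ids the profile is allowed to see, in input order."""
    return [r.record_id for r in records if can_view(profile, r)]


def exposure_by_domain(profile: Profile, records: Iterable[RiskRecord]) -> Dict[str, int]:
    """Cross-domain roll-up computed only from records the profile may view,
    so the aggregate cannot leak counts of records the user cannot open."""
    counts: Dict[str, int] = {}
    for r in records:
        if can_view(profile, r):
            counts[r.domain] = counts.get(r.domain, 0) + 1
    return counts


# Constructed sample data (not real findings).
SAMPLE_RECORDS = [
    RiskRecord("R-001", "it", "retail_bank", "us", "internal", "Unpatched host in PCI scope"),
    RiskRecord("R-002", "it", "retail_bank", "eu", "confidential", "Open penetration-test findings"),
    RiskRecord("R-003", "aml", "retail_bank", "us", "confidential", "Suspicious-activity review backlog"),
    RiskRecord("R-004", "operational", "trading", "us", "confidential", "Trading-limit breach"),
    RiskRecord("R-005", "operational", "trading", "eu", "internal", "Manual reconciliation gap"),
]

CRO = Profile("cro", "risk_manager", frozenset({ANY}), frozenset({ANY}), frozenset({ANY}))
US_IT_USER = Profile("alice", "business_user", frozenset({"retail_bank"}), frozenset({"us"}), frozenset({"it"}))
EU_AUDITOR = Profile("bob", "auditor", frozenset({ANY}), frozenset({"eu"}), frozenset({ANY}))

if __name__ == "__main__":
    for p in (CRO, US_IT_USER, EU_AUDITOR):
        print(p.user, visible_ids(p, SAMPLE_RECORDS), exposure_by_domain(p, SAMPLE_RECORDS))
```

The point worth keeping from this sketch is the order of operations: the filter runs before the aggregate, and every dimension is checked, so a business user scoped to one entity and region never learns from a dashboard total that confidential records exist elsewhere. A real deployment would load profiles and clearances from the identity system rather than from constants, but the decision function itself should stay this small and this easy to audit.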

One of the key themes that developed during 2009 was that risk management is more crucial than ever to organizations, and failing to deal with it is not an option. Companies are seeking ways to gain a more complete picture of risk, assess exposures across business lines and aggregate these into a firm-wide view. Collaboration with and support from the business lines is critical to achieve these goals as we discussed in #2 on our list: “Better Collaboration with the Business.” But if you are looking for better collaboration and you’re investing in risk management systems (#6), you probably can also relate to #9 in the 2010 GRC Wish List: “Risk Applications that are Easily Adopted by the Business.”

How do you support adoption of your risk management application by the business? Here are a couple of things you might want to consider:

Involve the business in the application selection and implementation process. Participation by the business is a great way to build commitment and you will usually find that they have some great ideas too.

Select a solution that can easily adapt to your methodology. GRC solutions should be enablers that support your risk management practices. Technology should not force your users to change the way they do business.

Deploy a solution that is intuitive and easy to use. Most business professionals are technically competent but they are not “power users.” Make sure that your risk management solution is easy to learn and use. In addition, most business people will be infrequent users, so pay particular attention to how quickly and easily users can accomplish their specific tasks.

Focus on Usability first, User Experience second. Usability focuses on the factors that affect the user’s ability to understand and do things in the application. User experience focuses on providing an engaging, fun, pleasant, empowering and inspired experience. Usability is critically important for your business users and will greatly determine the extent to which they adopt your risk management solution. User Experience is nice, but save it for your company’s web site.

Providing a risk management solution that is easily adopted by your business users will be a key enabler for achieving actionable risk management: where risk and compliance activities are an integral part of everyday business operations.

Is your current risk application enhancing your risk management practices or getting in the way? Let us know about your experiences with deploying risk management applications and what has helped or hindered their adoption.

Rounding out the 2010 GRC Wish List at #10 is “Increased Agility to Respond to New/Changes in Regulations.” While there’s a lot of talk about regulatory reform, and Gordon Burnes noted that “Regulatory Clarity” was #1 on the 2010 GRC Wish List, we may be getting closer to actual regulation this year.

President Obama, in his first State of the Union address, called for “serious financial reform.” He stated, “We can’t allow financial institutions, including those that take your deposits, to take risks that threaten the whole economy. Now, the House has already passed financial reform with many of these changes. And the lobbyists are trying to kill it. But we cannot let them win this fight. And if the bill that ends up on my desk does not meet the test of real reform, I will send it back until we get it right. We’ve got to get it right.”

As regulatory pressures continue to mount, and given that the regulatory environment will only increase in complexity, businesses that take a more practical, cross-regulatory approach to managing compliance will alleviate increasing cost and complexity while gaining valuable insight into risks to key business processes that could affect corporate performance in the form of legal action, fines and penalties or damage to company reputation.

This is where the need for “Increased Agility” comes in. Your risk and compliance processes will evolve over time to meet these changing business and regulatory requirements. Your GRC solution needs to be flexible and allow you to quickly adapt your risk and compliance management framework to meet changing requirements, while minimizing the impact on your business operations. Be careful of solutions that either force you to change your processes or develop custom extensions to the software to meet new regulations or requirements. Changes to your methodology due to an inflexible technology solution will negatively affect your ability to incorporate integrated risk management into your business operations.

Risk management is a hot topic at Davos this year. Over on the Forbes blog, Paul Maidment notes that companies are thinking about how to improve their risk management approach, prompted in part by the new SEC proxy disclosure rules, though many are opting not to have a so-called risk committee. Maidment notes that management is responsible for educating the board as to the state of risk exposure in the company. We would argue that there’s a step that has to happen first: companies have to put in place an information architecture that can provide transparency into that exposure in the first place. A rat’s nest of Excel spreadsheets won’t do the job.

Coincident with Davos, PwC released its 13th annual global CEO survey, which found an uptick in CEO sentiment worldwide. The survey also found that over 83% of companies are planning ‘a major change’ to their risk management approach. This is higher than for any other aspect of their strategy, organization or operating model. Clearly, we’ve reached the tipping point on risk management. Companies that don’t address this critical area of their business risk being left behind.
